From 2735cfee64fff88a13b9990fbd9d4cfcfd7d739b Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Tue, 26 Mar 2002 12:52:28 +0000
Subject: [PATCH] Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.)
Reviewed by: bde
---
 crypto/openssh/auth1.c | 11 ++---------
 crypto/openssh/auth2.c | 12 ++----------
 etc/pam.d/sshd | 1 +
 secure/usr.sbin/sshd/Makefile | 8 +++-----
 4 files changed, 8 insertions(+), 24 deletions(-)
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 54a23d5e1a4e..9611c6d58fee 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -88,12 +88,12 @@ do_authloop(Authctxt *authctxt)
 #ifdef USE_PAM
 struct inverted_pam_cookie *pam_cookie;
 #endif /* USE_PAM */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 const char *from_host, *from_ip;
 from_host = get_canonical_hostname(options.verify_reverse_mapping);
 from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
 debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user);
@@ -369,13 +369,6 @@ do_authloop(Authctxt *authctxt)
 lc = NULL;
 }
 #endif /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
- if (pw != NULL && !login_access(pw->pw_name, from_host)) {
- log("Denied connection for %.200s from %.200s [%.200s].",
- pw->pw_name, from_host, from_ip);
- packet_disconnect("Sorry, you are not allowed to connect.");
- }
-#endif /* LOGIN_ACCESS */
 #ifdef BSD_AUTH
 if (authctxt->as) {
 auth_close(authctxt->as);
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index 1592da217eda..117415da89bc 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -174,12 +174,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
 #endif /* HAVE_LOGIN_CAP */
-#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+#if defined(HAVE_LOGIN_CAP)
 const char *from_host, *from_ip;
 from_host = get_canonical_hostname(options.verify_reverse_mapping);
 from_ip = get_remote_ipaddr();
-#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#endif /* HAVE_LOGIN_CAP */
 if (authctxt == NULL) fatal("input_userauth_request: no authctxt");
@@ -238,14 +238,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 lc = NULL;
 }
 #endif /* HAVE_LOGIN_CAP */
-#ifdef LOGIN_ACCESS
- if (authctxt->pw != NULL &&
- !login_access(authctxt->pw->pw_name, from_host)) {
- log("Denied connection for %.200s from %.200s [%.200s].",
- authctxt->pw->pw_name, from_host, from_ip);
- packet_disconnect("Sorry, you are not allowed to connect.");
- }
-#endif /* LOGIN_ACCESS */
 /* reset state */
 auth2_challenge_stop(authctxt);
 authctxt->postponed = 0;
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
index 8dbb05fb0db9..9ec85e7194a6 100644
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@@ -9,6 +9,7 @@ auth required pam_nologin.so no_warn
 auth required pam_unix.so no_warn try_first_pass
 # account
+account required pam_login_access.so
 account required pam_unix.so
 # session
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index bf22015312d5..f453bc1ff4ca 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
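Review bot: With the `login_access()` calls removed from `do_authloop` (auth1.c) and `input_userauth_request` (auth2.c), the `account required pam_login_access.so` line added to etc/pam.d/sshd becomes the only place the login access rules are enforced for sshd, and nothing visible in this patch makes a missing line fail closed. A host that receives the new binary but keeps an older /etc/pam.d/sshd would, as far as these hunks show, accept logins the in-daemon check used to refuse, so the upgrade notes should say so and the file deserves a comment above the new line such as `# login access rules are enforced here; sshd no longer calls login_access() itself`. It is also worth confirming that sshd runs the PAM account phase for every authentication method, not only password logins, and that the module is given the same remote host name the removed code passed as `from_host`; neither is visible in this patch. The daemon's own `Denied connection for ...` log line disappears with the removed code, so any monitoring keyed on that message needs to follow whatever the PAM module logs instead.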
@@ -1,17 +1,15 @@
 # $FreeBSD$
 #
-LOGINSRC= ${.CURDIR}/../../../usr.bin/login
-
 PROG= sshd
 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
 sshpty.c sshlogin.c servconf.c serverloop.c \
 auth.c auth1.c auth2.c auth-options.c session.c \
 auth-chall.c auth2-chall.c auth-skey.c auth-pam.c auth2-pam.c \
- groupaccess.c login_access.c
+ groupaccess.c
 MAN= sshd.8
-CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DLOGIN_ACCESS -I${LOGINSRC} -DUSE_PAM -DHAVE_PAM_GETENVLIST
+CFLAGS+= -DLIBWRAP -DHAVE_LOGIN_CAP -DUSE_PAM -DHAVE_PAM_GETENVLIST
 .if defined(MAKE_KERBEROS4) && \
 ((${MAKE_KERBEROS4} == "yes") || (${MAKE_KERBEROS4} == "YES"))
@@ -44,4 +42,4 @@ DPADD+= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPA
 .include
-.PATH: ${SSHDIR} ${LOGINSRC}
+.PATH: ${SSHDIR}